Referrals and Active Directory

[zbhiwandiwala]

Is there any way in which referrals can be handled in Active Directory using spring ldap.

If I set referrals to ignore, will it ignore referrals in search results and continue to the next element in the search result list?

This has become a high priority issue for us.

We simply want to query all the users from the root domain, but keep getting partial result exceptions, which forces us to look at specific dn's.

[rasky]

You may use the 'referral' property on your ContextSource. Setting this to 'follow' (Java JNDI/LDAP setting) should cause referrals to be followed automatically. This will require all referred servers to be properly set up with regards to DNS names etc., which appears to be a common cause for problems.

[zbhiwandiwala]

I supplied the JNDI/Ldap property for referral as follow.

For a customer we still get PartialResult Exceptions.

I need help in the following regard

1. Is there any documentation on how the servers should be set up when they have referrals? The customer has an Active Directory Server. Can you explain in more details about setting up DNS names correctly.

2. If they do have referrals, but don't want to follow them can we in code skip referral and continue searching.

3. Using JNDI, can we list all the referrals in a ldap tree.

[davdres]

I've not personally dealt with this issue. But maybe this is an issue your running into. http://www.mail-archive.com/cas@tp.i.../msg00797.html. Also note: http://jira.springframework.org/browse/LDAP-9

[ronaldwroberts]

I am using Spring and Spring Security 3.0.2.RELEASE. I continue to receive the error:

Code:

Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: 
Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: 
Lexical error at line 1, column 5.  Encountered: ":" (58), after : ""

I have read the posts about referrals and adding a base environment property to the context Source bean to include the java.naming.referral value of follow, but that seems to do nothing to alleviate the problem.

Here's the pertinent security file:

Code:

	<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="${ldap.url}"/>
        <beans:property name="userDn" value="${ldap.binddn}"/>
        <beans:property name="password" value="${ldap.bindpassword}" />

        <beans:property name="baseEnvironmentProperties">
            <beans:map>
                <beans:entry key="java.naming.referral">
                    <beans:value>${ldap.java.naming.referral {= "follow" in properties file}}</beans:value>
                </beans:entry>
            </beans:map>
        </beans:property>
    </beans:bean>
    
	<authentication-manager alias="ldapAuthManager">
		<ldap-authentication-provider 
			server-ref="contextSource" 
			user-search-base=""
			user-search-filter="${ldap.user.searchfilter}"
			role-prefix="${ldap.role.prefix}"
			user-context-mapper-ref="ldapUserDetailsContextMapper"
		></ldap-authentication-provider>

</authentication-manager>

Really stuck here... any input appreciated.

[zbhiwandiwala]

Trying querying the global catalog in AD.

Look at java sun forums in jndi.

Referral exceptions are apparently not generated.

I think the port is 3869 for Global Catalogs everything else remains the same.

[ilovecoding]

Hi zbhiwandiwala,

Do you able to solve this problem? Currently, we are having similar problem too. We are getting javax.naming.PartialResultException: [LDAP: error code 10 - Referral] upong calling the binding and rebinding method of LdapTemplate. This is also already a hot issue. Brrrr...


Please help if you have solution on this.



Many thanks. Your help is highly appreciated.

[zbhiwandiwala]

For your ldap port use Global Catalog port.